Iptables-Prerouting everything with some exceptions

floh79 (Member), Jun 30, 2019
Hi, I'm trying to achieve the following:

I want everything that comes in over TCP to be NATed to 10.10.100.1 except:
- Source IP 100.100.100.1 to destination port 22, 8006
- Source IP 100.100.100.2 to destination port 22, 8006
- Source IP 100.100.100.3 to destination port 22, 8006
- Source IP 100.100.100.4 to destination port 8006
- Source IP 100.100.100.5 to destination port 8006
- any source IP to Destination Port 12345

This is my current iptables-rules file:
Code:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i enp9s0 -s 100.100.100.1 -p tcp -m multiport ! --dports 22,8006,12345 -m comment --comment "Server01" -j DNAT --to-destination 10.10.100.1
-A PREROUTING -i enp9s0 -s 100.100.100.2 -p tcp -m multiport ! --dports 22,8006,12345 -m comment --comment "Server02" -j DNAT --to-destination 10.10.100.1
-A PREROUTING -i enp9s0 -s 100.100.100.3 -p tcp -m multiport ! --dports 22,8006,12345 -m comment --comment "Server03" -j DNAT --to-destination 10.10.100.1
-A PREROUTING -i enp9s0 -s 100.100.100.4 -p tcp -m multiport ! --dports 8006,12345 -m comment --comment "Server04" -j DNAT --to-destination 10.10.100.1
-A PREROUTING -i enp9s0 -s 100.100.100.5 -p tcp -m multiport ! --dports 8006,12345 -m comment --comment "Server05" -j DNAT --to-destination 10.10.100.1
-A PREROUTING -i enp9s0 -p tcp ! --dport 12345 -j DNAT --to-destination 10.10.100.1

-A PREROUTING -i enp9s0 -p udp -j DNAT --to-destination 10.10.100.1
-A POSTROUTING -s 10.10.100.0/31 -o enp9s0 -j MASQUERADE
COMMIT

The issue is that, for example, port 8006 is not working for all five servers, and port 22 is not working for Server04 and Server05. I understand it's because of the last TCP rule "-A PREROUTING -i enp9s0 -p tcp ! --dport 12345 -j DNAT --to-destination 10.10.100.1". So how can I fix it?

Best regards
Floh
I believe I solved it now.

/etc/ipset.conf:
Code:
create pvenode hash:ip family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xxxxxxxxx
add pvenode 100.100.100.1
add pvenode 100.100.100.2
add pvenode 100.100.100.3
create office hash:ip family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xxxxxxxxx
add office 100.100.100.4
add office 100.100.100.5

/etc/iptables.rules:
Code:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i enp9s0 -m set --match-set pvenode src -p tcp -m multiport ! --dports 22,8006,12345 -m comment --comment "PVE Nodes" -j DNAT --to-destination 10.10.100.1
-A PREROUTING -i enp9s0 -m set --match-set office src -p tcp -m multiport ! --dports 8006,12345 -m comment --comment "Office" -j DNAT --to-destination 10.10.100.1
-A PREROUTING -i enp9s0 -m set ! --match-set pvenode src -m set ! --match-set office src -p tcp -m multiport ! --dports 12345 -j DNAT --to-destination 10.10.100.1

-A PREROUTING -i enp9s0 -p udp -j DNAT --to-destination 10.10.100.1
-A POSTROUTING -s 10.10.100.0/31 -o enp9s0 -j MASQUERADE
COMMIT
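To see why the first rule set still DNATs port 22/8006 from the excluded sources and the ipset-based one does not, here is a small first-match simulator of the nat PREROUTING chain. It is an added example, not code from the thread or from Proxmox/netfilter: it models only the matches the rules use (a source address or ipset membership with optional `!`, and `multiport --dports` with optional `!`), assumes every packet arrives on enp9s0 so `-i` is not modelled, and uses the addresses from the post plus a constructed outside address 203.0.113.9.

```python
"""Added example: first-match evaluation of the two nat PREROUTING chains
from the thread. A negated match (! --dports) on a source-specific rule does
not 'protect' that traffic; it simply makes the rule not match, so the packet
falls through to the next rule. The original catch-all then DNATs it."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# Members of the two ipsets from /etc/ipset.conf (values from the thread).
PVENODE = frozenset({"100.100.100.1", "100.100.100.2", "100.100.100.3"})
OFFICE = frozenset({"100.100.100.4", "100.100.100.5"})
DNAT_TARGET = "10.10.100.1"

# One source condition: (set of addresses, negated?). A single -s address is a
# one-element set; an ipset src match is its member set.
SrcCond = Tuple[FrozenSet[str], bool]


@dataclass(frozen=True)
class Rule:
    src_conds: Tuple[SrcCond, ...] = ()      # all must hold (like stacked -m set)
    dports: FrozenSet[int] = frozenset()     # empty = any destination port
    dports_negate: bool = False              # True models '! --dports'
    comment: str = ""

    def matches(self, src_ip: str, dport: int) -> bool:
        for members, negate in self.src_conds:
            # Condition fails when membership equals the negation flag.
            if (src_ip in members) == negate:
                return False
        if self.dports and (dport in self.dports) == self.dports_negate:
            return False
        return True


def dnat_target(chain: Sequence[Rule], src_ip: str, dport: int) -> Optional[str]:
    """Walk the chain like netfilter: the first matching rule terminates with
    DNAT. None means no rule matched, i.e. the packet stays with the host."""
    for rule in chain:
        if rule.matches(src_ip, dport):
            return DNAT_TARGET
    return None


def _per_host(members: FrozenSet[str], excluded: FrozenSet[int], tag: str):
    return [Rule(((frozenset({ip}), False),), excluded, True, f"{tag}{i}")
            for i, ip in enumerate(sorted(members), 1)]


# The first rules file from the post: per-host rules with '! --dports',
# followed by a catch-all that only exempts port 12345.
ORIGINAL_CHAIN = (
    _per_host(PVENODE, frozenset({22, 8006, 12345}), "Server0")
    + _per_host(OFFICE, frozenset({8006, 12345}), "Server0")
    + [Rule((), frozenset({12345}), True, "catch-all tcp")]
)

# The ipset-based rules file: the catch-all now excludes both sets, so
# traffic those rules deliberately skipped is no longer swept up.
FIXED_CHAIN = [
    Rule(((PVENODE, False),), frozenset({22, 8006, 12345}), True, "PVE Nodes"),
    Rule(((OFFICE, False),), frozenset({8006, 12345}), True, "Office"),
    Rule(((PVENODE, True), (OFFICE, True)), frozenset({12345}), True, "others"),
]


def compare(src_ip: str, dport: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (original result, fixed result) for one TCP packet."""
    return dnat_target(ORIGINAL_CHAIN, src_ip, dport), dnat_target(FIXED_CHAIN, src_ip, dport)


if __name__ == "__main__":
    # Constructed probe packets: the problem cases from the post plus an
    # outside address to confirm the catch-all still applies to everyone else.
    probes = [("100.100.100.4", 8006), ("100.100.100.1", 22), ("100.100.100.4", 22),
              ("203.0.113.9", 12345), ("203.0.113.9", 80)]
    print(f"{'src':<16}{'dport':>6}  original -> fixed")
    for ip, port in probes:
        before, after = compare(ip, port)
        print(f"{ip:<16}{port:>6}  {before or 'local':>12} -> {after or 'local'}")
```

Run it with `python3` and compare the two columns: in the original chain 100.100.100.4:8006 ends up at 10.10.100.1 because the Server04 rule does not match (its port list is negated) and the catch-all does, while the ipset chain leaves it local. On the real host the same check is the rule counters from `iptables -t nat -L PREROUTING -v -n --line-numbers`: a test connection that increments the catch-all counter instead of the intended rule is the symptom the post describes. Note the simulator ignores conntrack, so an already-established flow on the host keeps its original NAT decision until the entry expires.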